Privacy by design or the protection of privacy by design

Since the entry into force of the General Data Protection Regulation (GDPR, RGPD in French), the processing of personal data involves the implementation of new measures to ensure the respectful use of this data. More specifically, Article 25§1 of that regulation requires companies to implement specific techniques from the very first stage of designing their data processing system, in order to anticipate any subsequent attack on user data: we then speak of “data protection by design” (also known as “Privacy by Design”).

Written by Pauline Gioria
🕜 7 min

Last updated June 9th 2021


1. From the protection of personal data to Privacy By Design

As a reminder, the first generation of personal data protection appeared in the 1970s: the member States of the Organisation for Economic Co-operation and Development (OECD) set up a general legal framework, through various texts, in order to regulate the handling of individuals' personal information. As an example, we can cite the guidelines governing the “protection of privacy and transborder flows of personal data”.¹

The second generation, for its part, allowed the creation of personal data protection authorities. The 1995 European Directive on “the protection of individuals with regard to the processing of personal data and on the free movement of such data” is one of the flagship texts of this second generation. From that point on, however, some figures, such as Yves Poullet, university professor and director of the Commission for the Protection of Privacy (CRID) for 12 years, argued that such a regime cannot be fully effective without the involvement of the various actors concerned, and in particular the concrete involvement of companies in the design of the computer systems they use to process data.

Finally, the third generation of personal data protection is illustrated by the entry into force of the RGPD on May 25, 2018. It notably establishes an obligation for every company to build the protection of personal data into the design of its data processing system. This concept is called Privacy by Design. The aim is to optimize data protection by intervening upstream, at the design of the tools, which reduces as far as possible the risks of inappropriate collection and use of personal data and thereby increases users' confidence in the services offered.


2. Privacy by design, a concept legally enshrined in the RGPD

a. Definition of Privacy by design and origin of the concept

The concept of privacy by design rests on the following principle: the privacy of all users must be protected from the design stage of computer systems onwards. The aim is therefore to prevent breaches of confidentiality at an early stage, by putting technology at the service of privacy.

This principle was developed in 1999 by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada. Ann Cavoukian set out seven fundamental principles that companies must observe in order to fully implement Privacy by Design. These principles include:

  • Principle 1, “Proactive, not reactive; preventative, not remedial”: it is about taking action and preventing incidents before they happen. These measures are therefore not intended to offer a remedy for privacy breaches that have already occurred.
  • Principle 2, “Privacy as the default setting”: protection measures are built into computer systems implicitly, without the user having to take any action to benefit from them.
  • Principle 3, “Privacy embedded into design”: Privacy by Design measures are incorporated into the architecture of computer systems and practices at the design stage; they are not “bolted on” afterwards.
  • Principle 4, “Full functionality: positive-sum, not zero-sum”: this principle ensures that data protection does not take precedence over the smooth running of the business. The protective measures must not degrade the effectiveness of the software and computer systems concerned.

b. The recent integration of the concept into positive law

The concept of Privacy by Design is taken up and integrated into positive law in article 25 of the RGPD, called “data protection by design and data protection by default”.

The article states in its first paragraph that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles”.

Article 25§1 therefore places on the data controller (and its processors) an obligation of protection by design. This protection must take place:

  • “both at the time of the determination of the means for processing”, that is to say during the design and development of the processing systems,
  • “and at the time of the processing itself”, that is to say while the computer system is actually processing the data.

In order to ensure such protection, data controllers must put in place specific technical or organizational measures. Concretely, Article 25 gives one example of a measure that may fall within this framework: pseudonymization. The aim is to preserve the confidentiality of the information by preventing any direct or indirect identification of the natural person, for example by replacing the person's identity with an alias or a customer number.
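As an added example (not code from the article or from Axiocap), the snippet below shows what such a measure looks like in practice: a customer's e-mail address is replaced by a pseudonym derived with a keyed hash (HMAC-SHA256), the re-identification table is kept apart from the pseudonymized data set, and a comparison with a plain, unkeyed hash shows why the secret key matters. The records, e-mail addresses, key and function names are all constructed for the demonstration.

```python
"""Pseudonymization with a keyed hash (HMAC-SHA256).

Added example for this article, not code from the article or from Axiocap.
All records, e-mail addresses and keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: the e-mail address is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 120.0},
    {"email": "bob@example.com", "order_total": 35.5},
    {"email": "Alice@Example.com", "order_total": 80.0},  # same person, different case
]


def _normalize(identifier: str) -> bytes:
    """Canonical form of an identifier so one person gets exactly one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def plain_hash(identifier: str) -> str:
    """The weak scheme: an unkeyed SHA-256 of the identifier (for comparison only)."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym (a "customer number") from a direct identifier.

    HMAC with a secret key: without the key nobody can recompute the mapping,
    and even with it the digest cannot be reversed, only recomputed from a
    known identifier.
    """
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the e-mail in each record by its pseudonym.

    Returns the pseudonymized data set (what analytics teams receive) and the
    re-identification table. Under Article 4(5) GDPR that "additional
    information" must be kept separately from the data set, under its own
    technical and organizational controls.
    """
    dataset, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        lookup[pid] = _normalize(rec["email"]).decode("utf-8")
        dataset.append({"customer_id": pid, "order_total": rec["order_total"]})
    return dataset, lookup


def guess_from_candidates(target: str, candidates, key: bytes = None):
    """Check whether a pseudonym can be matched from a list of plausible identifiers.

    With key=None the plain, unkeyed hash is assumed: anyone holding a candidate
    list can recompute the digests and match, which is why that scheme is not
    pseudonymization in the GDPR sense. With a key, only the holder of the right
    key reproduces the pseudonym; a wrong key matches nothing.
    """
    for cand in candidates:
        digest = plain_hash(cand) if key is None else pseudonym(cand, key)
        if hmac.compare_digest(digest, target):
            return cand
    return None


if __name__ == "__main__":
    # In production the key lives in a secrets manager, never beside the data set.
    key = secrets.token_bytes(32)
    dataset, lookup = pseudonymize(SAMPLE_RECORDS, key)
    for row in dataset:
        print(row)
    # Alice's two orders share one customer_id, so per-customer analysis still works.
    print("same customer:", dataset[0]["customer_id"] == dataset[2]["customer_id"])
    # The controller, holding the separate lookup table, can still go back to the person.
    print("re-identified by controller:", lookup[dataset[0]["customer_id"]])
    candidates = ["bob@example.com", "alice@example.com"]
    # Weak scheme: the plain hash of the address is recovered from the candidate list.
    print("plain hash matched as:", guess_from_candidates(plain_hash("alice@example.com"), candidates))
    # Keyed scheme: the same candidate list yields nothing without the right key.
    print("keyed hash, wrong key:", guess_from_candidates(dataset[0]["customer_id"], candidates, key=b"wrong-key"))
```

The design choice worth noting is that the HMAC key and the lookup table are two different things: the key lets the controller recompute a pseudonym from an identifier it already knows, while the lookup table is what turns a pseudonym back into a person, so both must be stored away from the pseudonymized data set and under stricter access than the data set itself.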

Article 25§1 also indicates that the data controller determines these measures taking into account, in particular, the state of the art, the cost of implementation, and the scope and purposes of the processing.

This article therefore proposes some measures to put in place and guides the data controller in selecting them. However, it does not define the concept of “protection by design” itself. This is why, even today, we refer to the seven principles developed by Ann Cavoukian in 1999 to understand the content of the Privacy by Design principle.


3. Scope and limits of Privacy by Design

a. Dissuasive sanctions

The National Commission for Informatics and Freedoms (Commission nationale de l'informatique et des libertés, CNIL) is the independent administrative authority responsible for ensuring that the RGPD is correctly applied, and therefore that the concept of Privacy by Design is respected. Offenses are sanctioned progressively according to their severity: sanctions range from a simple warning to a fine of up to 20 million euros or, for a company, 4% of its worldwide turnover. In addition, damages may be awarded to the data subjects when they have suffered harm.

Concretely, if a company is audited by the CNIL, it must be able to demonstrate the actions it has taken to respect the principle of Privacy by Design. If the authority considers the measures insufficient, sanctions may be imposed.

b. The other side of the coin

However, the regulatory advance of Privacy by Design also has a negative side: businesses can, under cover of the Privacy by Design principle, disguise certain practices that exploit private data.

In this context, mention should be made of Google's new approach to behavioral advertising, Federated Learning of Cohorts (FLoC). FLoC was designed, in principle, to meet the new requirements for privacy protection on a global scale, and in particular the concepts of privacy by design and data minimization. The aim is to classify users into groups (“cohorts”) based on their browsing behavior. Each group is identified by a “cohort ID”, and only information about the group to which the user belongs is transmitted to websites and marketers. Advertisements are therefore targeted according to the user's cohort, without other information (browsing history, individual profiling, etc.) being transmitted.

However, this tool remains a data processing tool and, under the guise of privacy protection, it merely switches from one mode of tracking users to another that is just as effective.

Indeed, according to the Electronic Frontier Foundation, an international NGO based in San Francisco that defends freedoms on the Internet: “Google's pitch to privacy advocates is that a world with FLoC will be better than the current one, where data brokers and advertising giants track and profile with impunity. But this framing is based on a false premise that we have to choose between ‘old tracking’ and ‘new tracking’. It's not one or the other. Instead of reinventing the tracking wheel, we should imagine a better world without the myriad problems of targeted advertising.”

To find out more about the best ways for businesses to ensure the secure storage of personal data, click here!

¹ OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Paris, OECD, 1981).

Pauline Gioria
Jurist


The legislation mentioned falls exclusively under French law. 🇫🇷